Packet classification for network routing

ABSTRACT

Techniques for packet classification for network routing are disclosed. In some embodiments, packet classification for network routing includes receiving packets associated with a new flow at a security controller from a network device, in which the network device performs packet forwarding; classifying the flow; and determining an action for the flow based on a policy (e.g., a security policy). In some embodiments, the network device is a Software Defined Network (SDN) network device (e.g., a packet forwarding device that supports the OpenFlow protocol or another protocol).

CROSS REFERENCE TO OTHER APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.16/927,761, entitled PACKET CLASSIFICATION FOR NETWORK ROUTING filedJul. 13, 2020 which is incorporated herein by reference for allpurposes, which is a continuation of U.S. patent application Ser. No.15/250,156, now U.S. Pat. No. 10,757,074, entitled PACKET CLASSIFICATIONFOR NETWORK ROUTING filed Aug. 29, 2016, which is a continuation of U.S.patent application Ser. No. 13/954,668, now U.S. Pat. No. 9,461,967,entitled PACKET CLASSIFICATION FOR NETWORK ROUTING filed Jul. 30, 2013,which claims priority to U.S. Provisional Patent Application No.61/847,982 entitled PACKET CLASSIFICATION FOR NETWORK ROUTING filed Jul.18, 2013, all of which are incorporated herein by reference for allpurposes.

BACKGROUND OF THE INVENTION

A firewall generally protects networks from unauthorized access whilepermitting authorized communications to pass through the firewall. Afirewall is typically a device or a set of devices, or software executedon a device, such as a computer, that provides a firewall function fornetwork access. For example, firewalls can be integrated into operatingsystems of devices (e.g., computers, smart phones, or other types ofnetwork communication capable devices). Firewalls can also be integratedinto or executed as software on computer servers, gateways,network/routing devices (e.g., network routers), or data appliances(e.g., security appliances or other types of special purpose devices).

Firewalls typically deny or permit network transmission based on a setof rules. These sets of rules are often referred to as policies. Forexample, a firewall can filter inbound traffic by applying a set ofrules or policies. A firewall can also filter outbound traffic byapplying a set of rules or policies. Firewalls can also be capable ofperforming basic routing functions.

BRIEF DESCRIPTION OF THE DRAWINGS

Various embodiments of the invention are disclosed in the followingdetailed description and the accompanying drawings.

FIG. 1 is a functional diagram of a network architecture for providingpacket classification for network routing in accordance with someembodiments.

FIG. 2 is another functional diagram of a network architecture forproviding packet classification for network routing in accordance withsome embodiments.

FIG. 3 is a functional diagram of a security controller for providingpacket classification for network routing in accordance with someembodiments.

FIG. 4 is another functional diagram of a security controller forproviding packet classification for network routing in accordance withsome embodiments.

FIG. 5 is a block diagram of various components of a security controllerfor providing packet classification for network routing in accordancewith some embodiments.

FIG. 6 is a functional diagram of logical components of a securitycontroller for providing packet classification for network routing inaccordance with some embodiments.

FIG. 7 is a functional diagram of an architecture of a securitycontroller that can be used for providing packet classification fornetwork routing in accordance with some embodiments.

FIG. 8 is a flow diagram for providing packet classification for networkrouting in accordance with some embodiments.

FIG. 9 is another flow diagram for providing packet classification fornetwork routing in accordance with some embodiments.

DETAILED DESCRIPTION

The invention can be implemented in numerous ways, including as aprocess; an apparatus; a system; a composition of matter; a computerprogram product embodied on a computer readable storage medium; and/or aprocessor, such as a processor configured to execute instructions storedon and/or provided by a memory coupled to the processor. In thisspecification, these implementations, or any other form that theinvention may take, may be referred to as techniques. In general, theorder of the steps of disclosed processes may be altered within thescope of the invention. Unless stated otherwise, a component such as aprocessor or a memory described as being configured to perform a taskmay be implemented as a general component that is temporarily configuredto perform the task at a given time or a specific component that ismanufactured to perform the task. As used herein, the term ‘processor’refers to one or more devices, circuits, and/or processing coresconfigured to process data, such as computer program instructions.

A detailed description of one or more embodiments of the invention isprovided below along with accompanying figures that illustrate theprinciples of the invention. The invention is described in connectionwith such embodiments, but the invention is not limited to anyembodiment. The scope of the invention is limited only by the claims andthe invention encompasses numerous alternatives, modifications andequivalents. Numerous specific details are set forth in the followingdescription in order to provide a thorough understanding of theinvention. These details are provided for the purpose of example and theinvention may be practiced according to the claims without some or allof these specific details. For the purpose of clarity, technicalmaterial that is known in the technical fields related to the inventionhas not been described in detail so that the invention is notunnecessarily obscured.

A firewall generally protects networks from unauthorized access whilepermitting authorized communications to pass through the firewall. Afirewall is typically a device, a set of devices, or software executedon a device that provides a firewall function for network access. Forexample, a firewall can be integrated into operating systems of devices(e.g., computers, smart phones, or other types of network communicationcapable devices). A firewall can also be integrated into or executed assoftware applications on various types of devices or security devices,such as computer servers, gateways, network/routing devices (e.g.,network routers), or data appliances (e.g., security appliances or othertypes of special purpose devices).

Firewalls typically deny or permit network transmission based on a setof rules. These sets of rules are often referred to as policies (e.g.,network policies or network security policies). For example, a firewallcan filter inbound traffic by applying a set of rules or policies toprevent unwanted outside traffic from reaching protected devices. Afirewall can also filter outbound traffic by applying a set of rules orpolicies (e.g., allow, block, monitor, notify or log, and/or otheractions can be specified in firewall rules or firewall policies, whichcan be triggered based on various criteria, such as described herein).

Security devices (e.g., security appliances, security gateways, securityservices, and/or other security devices) can include various securityfunctions (e.g., firewall, anti-malware, and intrusionprevention/detection, and/or other security functions), networkingfunctions (e.g., routing, Quality of Service (QoS), workload balancingof network related resources, and/or other networking functions), and/orother functions. For example, routing functions can be based on sourceinformation (e.g., IP address and port), destination information (e.g.,IP address and port), and protocol information.

A basic packet filtering firewall filters network communication trafficby inspecting individual packets transmitted over a network (e.g.,packet filtering firewalls or first generation firewalls, which arestateless packet filtering firewalls). Stateless packet filteringfirewalls typically inspect the individual packets themselves and applyrules based on the inspected packets (e.g., using a combination of apacket's source and destination address information, protocolinformation, and a port number).

Application firewalls can also perform application layer filtering(e.g., application layer filtering firewalls or second generationfirewalls, which work on the application level of the TCP/IP stack).Application layer filtering firewalls or application firewalls cangenerally identify certain applications and protocols (e.g., webbrowsing using HyperText Transfer Protocol (HTTP), a Domain Name System(DNS) request, a file transfer using File Transfer Protocol (FTP), andvarious other types of applications and other protocols, such as Telnet,DHCP, TCP, UDP, and TFTP (GSS)). For example, application firewalls canblock unauthorized protocols that attempt to communicate over a standardport (e.g., an unauthorized/out of policy protocol attempting to sneakthrough by using a non-standard port for that protocol can generally beidentified using application firewalls).

Stateful firewalls can also perform stateful-based packet inspection inwhich each packet is examined within the context of a series of packetsassociated with that network transmission's flow of packets/packet flow(e.g., stateful firewalls or third generation firewalls). This firewalltechnique is generally referred to as a stateful packet inspection as itmaintains records of all connections passing through the firewall and isable to determine whether a packet is the start of a new connection, apart of an existing connection, or is an invalid packet. For example,the state of a connection can itself be one of the criteria thattriggers a rule within a policy.

Advanced or next generation firewalls can perform stateless and statefulpacket filtering and application layer filtering as discussed above.Next generation firewalls can also perform additional firewalltechniques. For example, certain newer firewalls sometimes referred toas advanced or next generation firewalls can also identify users andcontent (e.g., next generation firewalls). In particular, certain nextgeneration firewalls are expanding the list of applications that thesefirewalls can automatically identify to thousands of applications.Examples of such next generation firewalls are commercially availablefrom Palo Alto Networks, Inc. (e.g., Palo Alto Networks' PA Seriesfirewalls). For example, Palo Alto Networks' next generation firewallsenable enterprises to identify and control applications, users, andcontent—not just ports, IP addresses, and packets—using variousidentification technologies, such as the following: APP-ID for accurateapplication identification, User-ID for user identification (e.g., byuser or user group), and Content-ID for real-time content scanning(e.g., controls web surfing and limits data and file transfers). Theseidentification technologies allow enterprises to securely enableapplication usage using business-relevant concepts, instead of followingthe traditional approach offered by traditional port-blocking firewalls.Also, special purpose hardware for next generation firewallsimplemented, for example, as dedicated appliances, generally providehigher performance levels for application inspection than softwareexecuted on general purpose hardware (e.g., such as security appliancesprovided by Palo Alto Networks, Inc., which utilize dedicated, functionspecific processing that is tightly integrated with a single-passsoftware engine to maximize network throughput while minimizinglatency).

Security devices (e.g., firewall appliances) that can implement suchfirewall techniques, including advanced firewall techniques, aretypically integrated into traditional network architectures. However,new network architectures are evolving to meet the changing requirementsof enterprises, carriers, and end users. For example, such a newnetworking approach employs a Software Defined Networking (SDN)architecture. The Open Networking Foundation (ONF) has defined variousstandards for the SDN architecture.

Specifically, Software Defined Networking (SDN) is an emerging networkarchitecture in which network control is decoupled from forwarding(e.g., packet forwarding functionality) and is directly programmable. Inthe SDN architecture, the control and data planes are decoupled, networkintelligence and state information are logically centralized, and theunderlying network infrastructure is abstracted from the applications.ONF has defined a new standard protocol, referred to as the OpenFlow′protocol. The OpenFlow protocol generally can be used to structurecommunications between the control plane and data plane of networkdevices (e.g., including across multiple vendors' network devices thatsupport the OpenFlow protocol).

More specifically, OpenFlow is a standard communications interfacedefined between the control layer and forwarding layer of an SDNarchitecture (e.g., the OpenFlow Switch Specification is available athttp://www.openflow.org/). In some implementations, OpenFlow supportsdirect access to and manipulation of the forwarding plane of networkdevices (e.g., switches, routers, and/or other network devices), bothphysical and virtual (e.g., hypervisor-based).

The SDN architecture thereby allows enterprises and carriers to have newlevels of programmability, automation, and network control. Accordingly,SDN architectures can facilitate highly scalable, flexible networks thatcan efficiently and dynamically adapt to changing business needs.

However, such new network architectures that allow for new flexibilityand programmability require new approaches to securing such networks(e.g., SDN networks and/or other network architectures that decouple thecontrol and data planes). For example, the evolution of such dynamicnetwork architectures that allows, for example, for programmability offlows between different network devices in an enterprise does not ensurethat each flow would have to pass through a security device to enforce asecurity policy, such as an existing in-line firewall appliance.

Thus, what are needed are new techniques for packet classification fornetwork routing. Accordingly, techniques for packet classification fornetwork routing are disclosed. For example, various techniques forpacket classification for network routing that can be applied tosecuring SDN networks (e.g., SDN networks and/or other networkarchitectures that decouple the control and data planes) are disclosed.

In some embodiments, packet classification for network routing includesreceiving packets associated with a new flow at a security controllerfrom a network device, in which the network device performs packetforwarding; classifying the flow; and determining an action for the flowbased on a policy (e.g., a security policy). In some embodiments, thenetwork device is a Software Defined Network (SDN) network device (e.g.,a packet forwarding device that supports the OpenFlow protocol oranother protocol).

In some embodiments, packet classification for network routing furtherincludes instructing the network device to perform the action for theflow (e.g., using an API mechanism and/or a tagging mechanism). Exampleactions can include the following actions: drop the flow, ignore theflow, and shunt the flow (e.g., instructing the security device tocontinue to send packets to the security controller for further analysisand classification(s)).

For example, SDN networks (e.g., SDN networks and/or other networkarchitectures that decouple the control and data planes) can be used toprovide for more flexible and dynamic network architectures that areused for various changing network patterns, such as resulting from anincreasing use of various types of mobile devices by end users (e.g.,including a rise in any device to any device from anywhere communicationrequirements), a rise in use of various private and public cloudservices, and/or a growth of big data requiring greater bandwidthrequirements (e.g., to support the movement of very large data setsacross many servers, such as for parallel processing purposes). Thesetrends also create significant security challenges for enterprisesand/or service providers deploying such networks.

Accordingly, various techniques for packet classification for networkrouting are described herein that can be used to facilitate security insecuring such SDN networks (e.g., SDN networks and/or other networkarchitectures that decouple the control and data planes) and maintainingconsistent security policies in such increasing network architecturecomplexities while maintaining efficient and scalable network solutionsthat are secured. For example, a security controller (e.g., aclassification device or classification engine) can be provided thatefficiently classifies network flows so that there is minimal impact toa networking device while providing packet classification informationthat allows packets to be more efficiently directed to their destinationby the networking device.

In some embodiments, various techniques for providing packetclassification for network routing can be implemented in a networkarchitecture in which a network device identifies new flows and sendsthe identified new flows to a security controller (e.g., classificationdevice or classification engine) that analyzes packets associated witheach new flow to provide for a classification of each new flow, and thesecurity controller then instructs the network device based on theclassification and decision, to then perform an action (e.g., ignore,drop, shunt for further security analysis/classification, and/or otheractions) on processing of each new flow. A particular problem thatarises with SDN architectures that allow for open flows is that suchnetwork flows can be switched or routed anywhere (e.g., there is noguarantee that a given flow would have to pass through a securityappliance/gateway or other security device that would typically beplaced inline in typical network architectures), so a mechanism isneeded to ensure that each new flow is inspected properly (e.g., forcompliance with a security policy). Various techniques for providingpacket classification for network routing in such network environmentsare further described below.

FIG. 1 is a functional diagram of a network architecture for providingpacket classification for network routing in accordance with someembodiments. As shown, client device or server device 102 is incommunication with client device or server device 108 via SDN networkdevice 104 (e.g., a network device that is SDN-compliant/compatible,such as a switch, router, and/or another type of network device, whichcan be a physical network device and/or a virtual network device, suchas hypervisor-based). As also shown, security controller 106 is providedthat is in communication with SDN network device 104. In someembodiments, security controller 106 is in communication with multipledifferent SDN network devices.

In particular, FIG. 1 illustrates a simplified, logical view of an SDNarchitecture in accordance with some embodiments. For example, securityintelligence can be logically centralized in software-based SDNcontrollers (e.g., security controller 106), which can maintain a globalview of the network and ensure that security policies are consistentlyimplemented across the SDN network. As another example, multipledifferent SDN network devices can be used to forward packets betweenclient device or server device 102 and client device or server device108. In some embodiments, security controller 106 is implemented using acloud security service, in which packets can be communicated (e.g.,using a secure protocol, such as the OpenFlow protocol or another secureprotocol, which can provide for secure communications over publicnetworks, such as the Internet) from SDN network devices forclassification of (new) flows using various techniques as describedherein with respect to various embodiments.

In some implementations, security controller 106 is provided as asecondary controller of SDN network devices (e.g., SDN network device104) in the SDN architecture, in which primary controllers are providedfor providing primary logical control for the SDN network devices (e.g.,for providing basic switching and routing logical functions). In someimplementations, security controller 106 is provided as a secondarycontroller of SDN network devices (e.g., SDN network device 104) in theSDN architecture, in which the secondary controller can be integratedwith a primary controller and/or executed as a separate engine(s) (e.g.,implemented in software executed on a processor(s) of the device,implemented in hardware such as an FPGA or other hardwareimplementation, and/or implemented using a combination of software andhardware) on a device that also executes an engine(s) for a primarycontroller. In some implementations, security controller 106 is providedas a secondary controller of SDN network devices (e.g., SDN networkdevice 104) in the SDN architecture, in which the secondary controllercan be provided on a second device that executes an engine(s) for thesecondary controller, and in which a first device executes an engine(s)for the primary controller. In some implementations, the secondarycontroller and/or the primary controller can be implemented in softwareexecuted on a device (e.g., appliance, server, and/or other computingdevice), implemented in hardware of the device, and/or a combinationthereof.

In some embodiments, SDN network device 104, such as a switch or arouter (e.g., an L2 network device, an L3 network device, or an L2/L3/L7device), passes packets of a flow to security controller 106. In someembodiments, security controller 106 is capable of performing variouspacket classification techniques (e.g., including applicationidentification (APP-ID), user identification (USER-ID), and/or otherfirewall and/or advanced firewall related classification techniques andstate-based flow classification techniques, such as described herein).

In some embodiments, SDN network device 104 networking device uses theclassification in the packet to more efficiently direct the packet(e.g., how to switch/route the packet, whether to drop the packet,and/or some other action to perform) such as further described hereinwith respect to various embodiments. In some embodiments, securitycontroller 106 classifies a packet of a new flow and associates theclassification with the packet (e.g., using a tagging mechanism to tagthe packet, such as described herein) before returning the packet to SDNnetwork device 104, such as further described herein with respect tovarious embodiments. In some embodiments, security controller 106classifies a packet of a new flow and instructs the SDN network device104 on how to process the flow based on the classification using an APImechanism, such as further described herein with respect to variousembodiments. For example, if the classification device determines thatit is no longer necessary to classify packets of a given flow (e.g.,further classification of the flow will not occur or is unlikely), amessage (e.g., ignore action instruction) can be sent to the SDN networkdevice informing it that packets of the specified flow no longer need tobe sent to the classification device.

In some implementations, an SDN network device and a primary controllercan be provided by commercially available solutions from, for example,Arista Networks, Cisco Systems, and/or other commercial networkingvendors. In some implementations, an SDN network device and a primarycontroller can be provided by a virtual switch (e.g., a software basedswitch), such as a proprietary virtual switch and/or an open sourcedvirtual switch such as provided by OpenvSwitch (e.g., available athttp://openvswitch.org). In some implementations, security controller106 is provided by a commercial security vendor, such as Palo AltoNetworks, which provides various Next Generation FireWall (NGFW)solutions. For example, an SDN network device from Arista Networks canrecognize a new flow and send the new flow to a Palo Alto Networkssecurity controller (e.g., a security appliance and/or security enginethat can classify flows and apply policies based on classified flows toinstruct SDN networks on how to handle such flows based on a securitypolicy). In particular, the Palo Alto Networks security controller canclassify a flow and make a decision on how to process the classifiedflow (e.g., drop, such as based on an ACL based on 5-tuple to drop allpackets for the remainder of that flow; shunt, such as if a policyindicates that the flow should be inspected further in which case thesecurity controller can be effectively placed inline to monitor all ofthe traffic for that flow; or ignore, such as if a policy indicates toleave that flow alone—do not drop and do not further inspect).

For example, an NGFW solution can be provided as a security controller106. The SDN network device 104 can send all new flows to securitycontroller 106 for inspection (e.g., which can be configured to inspecta predetermined minimum number of packets of each new flow for initialclassification). In some cases, the NGFW solution can be implemented inhardware on SDN network device 104. SDN network device 104 receives anew flow, forwards a predetermined number of packets to securitycontroller 106 for classification and analysis (e.g., based on a policy,such as a security policy), and SDN network device 104 can either waitfor a response from the security controller (e.g., via open flow or API)or install the flow into hardware (e.g., fast path). If an assessment isreturned from the security controller with an action (e.g., drop), thenthe SDN network device would create the appropriate rule (e.g., AccessControl List (ACL)) and drop the corresponding traffic. In particular,security controller 106 can classify a flow for the following actions:drop, shunt, ignore. For the first two actions (i.e., drop or shunt),security controller 106 can instruct SDN network device 104 via, forexample, OpenFlow or direct API communication to perform the action. Inthe shunt case, all traffic from that flow would be directed to securitycontroller 106 for continuing inspection (e.g., the security controlleris effectively placed inline for the shunted flow). Ignore would requireno signaling as the specific flow is already installed in the forwardingtable of SDN network device 104.

In some embodiments, security controller 106 includes variousclassification functions, such as various layer-2, layer-3, and higherlayer classification engines, such as application identification engine,user identification engine, and/or can perform various otherfirewall-based classification and advanced firewall classificationtechniques, such as described herein, which, for example, can beimplemented using computing hardware, software, or various combinationsthereof.

As further described below with respect to FIG. 2, the classificationperformed by a security controller can be implemented as a separatedevice, within the networking device, as a virtual machine, and/or usingvarious other techniques.

FIG. 2 is another functional diagram of a network architecture forproviding packet classification for network routing in accordance withsome embodiments. As shown, client device or server device 202 is incommunication with client device or server device 208 via SDN networkdevice 204 (e.g., a network device that is SDN-compliant/compatible,such as a switch, router, and/or another type of network device, whichcan be a physical network device and/or a virtual network device, suchas hypervisor-based). As also shown, security controller 206 is providedthat is integrated with SDN network device 204. For example, securitycontroller 206 can be implemented in hardware on SDN network device 204.As another example, security controller 206 can be implemented insoftware executed on a processor(s) of SDN network device 204. In someimplementations, security controller 206 is implemented in a controllayer of SDN network device 204 as shown.

As will now be apparent, some or all of the functions described hereincan be assisted by or implemented in whole or in part by a securitycontroller that can be implemented as a separate security controllerdevice, a security controller device that is implemented as anintegrated part of an SDN network device, as hardware, as asoftware-based solution executed on a physical device, a virtual networkdevice, such as hypervisor-based, and/or as a security cloud service. Asecurity cloud service can, for example, reduce the processing on theSDN network device. As another example, detection of security policyviolations and/or vulnerabilities can be reported to a security cloudservice.

FIG. 3 is a functional diagram of a security controller for providingpacket classification for network routing in accordance with someembodiments. As shown, SDN network device 304 (e.g., a network devicethat is SDN-compliant/compatible, such as a switch, router, and/oranother type of network device, which can be a physical network deviceand/or a virtual network device, such as hypervisor-based) is incommunication with security controller 306. In this embodiment, securitycontroller 306 is shown as integrated with SDN network device 304. Forexample, security controller 306 can be implemented in hardware on SDNnetwork device 304. As another example, security controller 306 can beimplemented in software executed on SDN network device 304 (e.g., orimplemented using a combination of hardware and software). In someimplementations, a security controller 306 is implemented in a device,and a separate, distinct device implements a primary controller (e.g.,primary controllers are provided for providing primary logical controlfor the SDN network devices, such as for providing basic switching androuting logical functions that can be communicated to SDN network device304).

In some embodiments, a protocol, such as the OpenFlow protocol, isimplemented on both sides of an interface between network infrastructuredevices (e.g., SDN network device) and the SDN control software (e.g., asecurity controller). In some embodiments, the flows identified usingOpenFlow techniques can be used by a security controller (e.g., securitycontroller 306) for providing packet classification for network routing.For example, OpenFlow uses the concept of flows to identify networktraffic based on pre-defined match rules that can be statically ordynamically programmed by SDN control software. A policy, such as asecurity policy, can be configured to define how traffic should flowthrough network devices based on parameters, such as applications,users, devices, cloud resources, malware related information,source/destination information, device information, and/or otherinformation. Accordingly, OpenFlow can be used to program the network ona per-flow basis, which provides granular control over the network torespond to real-time changes at the application, user, and sessionlevels.

For example, a security controller (e.g., security controller 306) cananalyze flows forwarded from the data plane (e.g., SDN network device304), determine how to handle such flows based on a policy (e.g., asecurity policy), and provide instructions (e.g., based on actions) formanipulation of the forwarding plane of network devices (e.g., SDNnetwork device 304). As would be apparent to one of ordinary skill inthe art, such OpenFlow-based SDN techniques can be deployed on existingnetworks, both physical and virtual. As also would be apparent, suchnetwork devices can support OpenFlow-based forwarding as well astraditional forwarding, which allows enterprises and carriers toprogressively introduce OpenFlow-based SDN technologies, even inmulti-vendor network environments.

Referring to FIG. 3, security controller 306 includes a flowclassification table 308. SDN network device 304 identifies new flowsand can be configured to forward packets of new flows to securitycontroller 306 (e.g., which may require receiving a sufficient number ofpackets for the flow to obtain sufficient information for classifyingthe flow and to make a determination for an action for the classifiedflow based on security policy). Security controller 306 then analyzespackets for each new flow to perform a classification for each new flow.Flow classification table 308 includes various information for eachanalyzed flow, including a MAC source (MAC src), MAC destination (MACdst), IP source (IP src), IP destination (IP dst), TCP destination port(TCP dprt), user (User ID), application (APP ID), and possibly otherinformation. Based on this information for each flow and based on apolicy (e.g., a security policy), security controller 306 can determinean action to instruct SDN network device 304 to perform against theflow. Example actions can include ignore, shunt, drop, and/or variousother actions. For example, known malicious traffic can be dropped, orapplications that are not allowed based on a security policy (e.g.,music streaming, voice over IP, and/or other applications) can bedropped. As another example, certain application traffic may be allowedbased on a user (e.g., Alice may be allowed to use FTP, but Bob may notbe allowed to use FTP over the enterprise network of ACME Corporation),in which case if it is allowed, then the action can be to ignore (e.g.,SDN network device can be instructed to not send further packetsassociated with that flow to security controller 306), but if it may notbe allowed, then the action can be to drop or to shunt (e.g., SDNnetwork device can be instructed to send further packets associated withthat flow to security controller 306 for further inspection to determinewhether the flow should be dropped or ignored). As yet another example,certain flows may require further inspection to make a determination onwhether to allow or block such flows, such as HTTP traffic (e.g.,certain HTTP traffic may be allowed and other HTTP traffic may beblocked based on a security policy, which can also depend on a userand/or other information associated with the flow, such as for anevolving web session related flow, in which, for example, a web browserinitially visits a search engine home page to perform standard websearching but then navigates user to a web-based chat service that maynot be allowed such that further monitoring and inspection of such aflow can be required for ensuring security policy compliance for thatflow). As a further example, for a long-running, high-throughput flow(e.g., elephant flow, such as for storage area network traffic, and/orother permissible, high volume data flows), security controller 306 caninstruct SDN device 304 to ignore such flows to bypass further securityprocessing (e.g., analysis and classification using the securitycontroller).

In some embodiments, security controller 306 is provided to implementvarious network services, including security services (e.g., based on apolicy, such as a security policy that can be customized/configured foran enterprise). For example, an enterprise can define and enforceconsistent security policies across both wired and wireless connectionson an enterprise network using various techniques described herein. Asanother example, an enterprise can implement secure cloud services usingvarious techniques described herein.

In some embodiments, a set of APIs for security services (e.g., an APImechanism) is provided to facilitate communication between securitycontroller 306 and SDN network device 304 to allow security controller306 to communicate various security related instructions based onpacket/flow classification implemented using security controller 306. Insome implementations, a set of APIs for security services can be definedas public or open APIs that can facilitate support across differentvendors, in which different devices (e.g., SDN network devices) can beconfigured to support and interoperate with such public, open APIs forsecurity services. In some implementations, the APIs for securityservices can be standardized to facilitate interoperability and supportby devices provided by various commercial vendors.

In some embodiments, an API mechanism is used by a security controller(e.g., security controller 306) to instruct a network device (e.g., SDNnetwork device 304) using API communications. For example, the securitycontroller can directly pass classification decisions or instructions toa network device via API communication(s). An example communication isan HTTPS post to a REST-based API indicating that the network deviceshould, for example, drop the flow, such as, the following HTTPS post:https://sdndevice/api/flowID=000000000854&flowACTION=drop&key=6TGM9bXcwM3JHUG where flowID represents the unique identifier for the flow andflowACTION represents an action associated with a classification, suchas DROP/SHUNT/IGNORE.

In some embodiments, a tagging mechanism is used by a securitycontroller (e.g., security controller 306) to instruct a network device(e.g., SDN network device 304) using a protocol (e.g., OpenFlow protocoland/or another protocol). In some implementations, the packet can bemarked or tagged using a security controller to communicate an action(e.g., security controller 306 can add metadata to a packet flow for SDNdevices using a tag, such as a standardized OpenFlow tag). The securitycontroller can also directly communicate classification information withthe networking device via OpenFlow controller-to-switch mechanisms ordirectly mark the packet utilizing OpenFlow or other protocols to embedmeta-data regarding the classification of the flow or to affect theforwarding of the flow. When a packet arrives that does not match anyflow table entry, the networking device can provide a copy or forwardthe packet to the security controller for classification, onceclassified the security controller can define a new flow for that packetand send the entry or entries to the networking device to be added tothe flow table. An instruction can also be added by the securitycontroller to add a value called metadata to a packet, which will bematched against the metadata value in the flow table entries. Actionsand priorities can also be inserted to affect the forwarding of thepacket, reclassification, and/or rewriting packet information such assource or destination Internet protocol addresses. For example, metadatacan be set to drop, shunt, or ignore to provide instruction to thenetwork device, or action can be set to simply drop the flow via anempty instruction set or to a more complex instruction set such asoutput:5, security-controller where the packet will be forwarded viaport number 5 and output packet to the security-controller forclassification.

For example, using various techniques described herein, an InformationTechnology (IT) administrator (e.g., network admin or security admin)can define high-level configuration and policy statements for securityof an enterprise network, which are then automatically translated to thenetwork infrastructure using OpenFlow to maintain a consistent securitypolicy across the enterprise network (e.g., which can include manydifferent network devices, including from different vendors).Accordingly, by implementing such an OpenFlow-based SDN architecture,the IT admin is not required to individually configure network deviceseach time an end point, service, or application is added or moved, or asecurity policy changes, which reduces the risks of policyinconsistencies and/or other security risks due to improper networkdevice configurations. The use of such security controllers in SDNnetwork architectures can also provide for a consistent enforcement of asecurity policy across the wired and wireless network infrastructures,including branch offices, campuses, and data centers.

FIG. 4 is another functional diagram of a security controller forproviding packet classification for network routing in accordance withsome embodiments. As shown, SDN network device 400 (e.g., a networkdevice that is SDN-compliant/compatible, such as a switch, router,and/or another type of network device, which can be a physical networkdevice and/or a virtual network device, such as hypervisor-based) is incommunication with security controller 406. In this embodiment, securitycontroller 406 is shown as integrated with SDN network device 400. Forexample, security controller 406 is can be implemented in hardware onSDN network device 400. As another example, security controller 406 iscan be implemented in software executed on SDN network device 400 (e.g.,or implemented using a combination of hardware and software). In someimplementations, security controller 406 is implemented in control layer402 of SDN network device 400, and SDN device logic is implemented indata layer 404 of SDN network device 400, as shown.

FIG. 5 is a block diagram of various components of a security controller500 for providing packet classification for network routing inaccordance with some embodiments. The example shown is a representationof physical components that can be included in a security controller(e.g., security controller 106 or security controller 206).Specifically, security controller 500 includes a high performancemulti-core CPU 502 and RAM 504. Security controller 500 also includes astorage 510 (e.g., one or more hard disks or solid state storage units),which is used to store policy and other configuration information aswell as signatures. Security controller 500 can also include one or moreoptional hardware accelerators. For example, security controller 500 caninclude a cryptographic engine 506 configured to perform encryption anddecryption operations, and one or more FPGAs 508 configured to performsignature matching, act as network processors, and/or perform othertasks.

FIG. 6 is a functional diagram of logical components of a securitycontroller 600 for providing packet classification for network routingin accordance with some embodiments. The example shown is arepresentation of logical components that can be included in securitycontroller 600. As shown, security controller 600 includes a managementplane 602 and a data plane 604. In some embodiments, the managementplane is responsible for managing user interactions, such as byproviding a user interface for configuring policies, such as policies620 as shown, and viewing log data. The data plane is responsible formanaging data, such as by performing packet processing and sessionhandling.

Network processor 606 is configured to receive packets of new flows fromSDN network devices, and provide the packets to data plane 604 forprocessing. Flow 608 identifies the packets as being part of a newsession and creates a new session flow. Subsequent packets will beidentified as belonging to the session based on a flow lookup. Ifapplicable, SSL decryption is applied using, for example, an SSLdecryption engine using various techniques as described herein. Useridentification module 610 is configured to identify a user associatedwith the traffic flow. Application identification module 612 isconfigured to determine what type of traffic the session involves, suchas HTTP traffic, HTTPS traffic, FTP traffic, SSL traffic, SSH traffic,DNS requests, unclassified application traffic (e.g., unknownapplication traffic), and/or other types of traffic (e.g., traffic usingother types of known or unknown protocols). For example, applicationidentification module 612 can recognize a GET request in the receiveddata and conclude that the session requires an HTTP decoder. For eachtype of protocol, there exists a corresponding decoder 614. Based on thedetermination made by application identification module 612, the packetsof each flow are sent to an appropriate decoder 614. Decoder 614 isconfigured to assemble packets (e.g., which may be received out oforder) into the correct order, perform tokenization, and extract outinformation (e.g., to identify username/password credentials beingsubmitted to an external site for user authentication). Decoder 614 alsoperforms signature matching to determine what should happen to thepacket. In some embodiments, decoding also includes performing SSLencryption (e.g., using an SSL encryption/decryption engine(s)) usingvarious techniques as described herein. Based on results of the dataplane processing using flow 608, user ID module 610, application IDmodule 612, and decoder 614, an action determination is performed asshown at 616. Based on the determined action (616), the SDN networkdevice is instructed to perform an action as shown at 618. As alsoshown, signatures 622 are received and stored in the management plane602. In some embodiments, policy enforcement (e.g., policies 620 caninclude one or more rules, which can be specified using domain and/orhost/server names, and rules can apply one or more signatures or othermatching criteria or heuristics, such as for providing security policyfor an enterprise network) using signatures are applied as describedherein with respect to various embodiments based on the monitored,decrypted, identified, and decoded session traffic flows.

FIG. 7 is a functional diagram of an architecture of a securitycontroller that can be used for providing packet classification fornetwork routing in accordance with some embodiments. As shown, networktraffic is monitored at security controller 700. In some embodiments,packets associated with new traffic flows are received from SDN networkdevices for analysis by security controller 700, which can thendetermine an action based on a packet classification of packetsassociated with each new flow and based on a policy (e.g., a securitypolicy) as described herein with respect to various embodiments.

In some embodiments, traffic flows are monitored using a state-basedfirewall. In some embodiments, the state-based firewall can monitortraffic flows using an APP-ID engine (e.g., App Signature Check & UserID Check 708). For example, the monitored network traffic can includeHTTP traffic, HTTPS traffic, FTP traffic, SSL traffic, SSH traffic, DNSrequests, unclassified application traffic (e.g., unknown applicationtraffic), and/or other types of traffic (e.g., traffic using other typesof known or unknown protocols).

As shown in FIG. 7, network traffic monitoring begins at 702. An IPaddress and port engine 704 determines an IP address and port number fora monitored traffic flow (e.g., a session) based on packet analysis. Apolicy check engine 706 determines whether any policies can be appliedbased on the IP address and port number. In some implementations, a userID check engine and an App-ID engine can be implemented in an appsignature check and user ID check engine 708 as shown, or can beimplemented in separate engines or modules. For example, a useridentification can be determined for a flow, for example, using user IDcheck engine 708 (e.g., user ID can be deduced based on the source IPaddress). As also shown in FIG. 7, an application signature check engine708 identifies an application (e.g., using an APP-ID engine usingvarious application signatures for identifying applications based onpacket flow analysis). For example, APP-ID engine 708 can be configuredto determine what type of traffic the session involves, such as HTTPtraffic, HTTPS traffic, FTP traffic, SSL traffic, SSH traffic, DNSrequests, unknown traffic, and various other types of traffic, and suchclassified traffic can be directed to an appropriate decoder, such asdecoders 712, 714, and 716, to decode the classified traffic for eachmonitored session's traffic flow. If the monitored traffic is encrypted(e.g., encrypted using HTTPS, SSL, SSH, or another known encryptionprotocol), then the monitored traffic can be decrypted using a decryptengine 710 (e.g., applying trusted man-in-the-middle techniques using aself-signed certificate). A known protocol decoder engine 712 decodesand analyzes traffic flows using known protocols (e.g., applying varioussignatures for the known protocol) and reports the monitored trafficanalysis to a report and enforce policy engine 720. Identified traffic(no decoding required) engine 714 reports the identified traffic to thereport and enforce policy engine 720. An unknown protocol decoder engine716 decodes and analyzes traffic flows (e.g., applying variousheuristics) and reports the monitored traffic analysis to the report andenforce policy engine 720. For example, the report and enforce policyengine 720 can communicate action instructions to the SDN networkdevices (e.g., drop, ignore, or shunt a flow).

In some embodiments, the results of the various traffic monitoringtechniques using known protocol decoder engine 712, identified trafficengine 714, and unknown protocol decoder engine 716 described above areprovided to report and enforce policy engine 720 (e.g., network/routingpolicies, security policies, and/or firewall policies). For example,firewall policies can be applied to the monitored network traffic usingapplication identification, user identification, and/or otherinformation to match signatures (e.g., file-based, protocol-based,and/or other types/forms of signatures for detecting malware orsuspicious behavior).

In some embodiments, security controller 700 also includes a content-IDengine (not shown), and, in some embodiments, the content-ID engine'sidentified content is also used by report and enforce policy engine 720,possibly in various combinations with other information, such asapplication, user, and/or other information, to enforce varioussecurity/firewall policies/rules.

In some embodiments, various other functional architectures and flowsare provided to implement techniques for providing packet classificationfor network routing as described herein. For example, some of thesefunctions can be implemented in software executed on a general processorand/or some of these functions can be implemented using hardwareacceleration techniques for faster packet processing of network traffic.

FIG. 8 is a flow diagram for providing packet classification for networkrouting in accordance with some embodiments. At 802, receiving packetsassociated with a new flow at a security controller from a networkdevice is performed, in which the network device performs packetforwarding. At 804, classifying the flow is performed. For example,classification can be based on port, IP address, application, user,device, and/or various other aspects, such as described herein withrespect to various embodiments. At 806, determining an action for theflow based on a policy (e.g., a security policy) is performed. In someembodiments, the network device is a Software Defined Network (SDN)network device (e.g., a packet forwarding device that supports theOpenFlow protocol or another protocol).

FIG. 9 is another flow diagram for providing packet classification fornetwork routing in accordance with some embodiments. At 902, receivingpackets associated with a new flow at a security controller from anetwork device is performed, in which the network device performs packetforwarding. At 904, classifying the flow is performed. For example,classification can be based on port, IP address, application, user,device, and/or various other aspects, such as described herein withrespect to various embodiments. At 906, determining an action for theflow based on a policy (e.g., a security policy) is performed. In someembodiments, the network device is a Software Defined Network (SDN)network device (e.g., a packet forwarding device that supports theOpenFlow protocol or another protocol). At 908, instructing the networkdevice to perform the action for the flow is performed (e.g., using anAPI mechanism or a tagging mechanism). At 910, receiving new packetsassociated with a shunted flow at the security controller from thenetwork device is performed. At 912, further classifying the shuntedflow is performed. For example, based on such further classification anda security policy, the shunted flow can be determined to be a flow thatcan be ignored or dropped, in which case an appropriate action based onthe determination can be communicated to the network device from thesecurity controller.

Although the foregoing embodiments have been described in some detailfor purposes of clarity of understanding, the invention is not limitedto the details provided. There are many alternative ways of implementingthe invention. The disclosed embodiments are illustrative and notrestrictive.

What is claimed is:
 1. A system, comprising: a processor configured to:receive packets associated with a new flow at a security controller froma network device, wherein the network device performs packet forwarding;classify the flow based on an application determined to be associatedwith the flow; determine an action for the flow based on a policy; andinstruct the network device to perform the action for the flow, whereinthe action is to drop the flow or ignore the flow; and a memory coupledto the processor and configured to provide the processor withinstructions.
 2. The system recited in claim 1, wherein the networkdevice is a Software Defined Network (SDN) network device.
 3. The systemrecited in claim 1, wherein the policy is a security policy.
 4. Thesystem recited in claim 1, wherein the policy is a security policy thatincludes an allow or a block rule based on an application and a user. 5.The system recited in claim 1, wherein the instructing of the networkdevice to perform the action for the flow is based on an API mechanism.6. The system recited in claim 1, wherein instructing of the networkdevice to perform the action for the flow is based on tagging a packetassociated with the flow.
 7. A method, comprising: receiving packetsassociated with a new flow at a security controller from a networkdevice, wherein the network device performs packet forwarding;classifying the flow based on an application determined to be associatedwith the flow; determining an action for the flow based on a policy; andinstructing the network device to perform the action for the flow,wherein the action is to drop the flow or ignore the flow.
 8. The methodrecited in claim 7, wherein the network device is a Software DefinedNetwork (SDN) network device.
 9. The method recited in claim 7, whereinthe policy is a security policy.
 10. The method recited in claim 7,wherein the policy is a security policy that includes an allow or ablock rule based on an application and a user.
 11. The method recited inclaim 7, wherein the instructing of the network device to perform theaction for the flow is based on an API mechanism.
 12. The method recitedin claim 7, wherein instructing of the network device to perform theaction for the flow is based on tagging a packet associated with theflow.
 13. A computer program product, the computer program product beingembodied in a non-transitory computer readable storage medium andcomprising computer instructions for: receiving packets associated witha new flow at a security controller from a network device, wherein thenetwork device performs packet forwarding; classifying the flow based onan application determined to be associated with the flow; determining anaction for the flow based on a policy; instructing the network device toperform the action for the flow, wherein the action is to drop the flowor ignore the flow.
 14. The computer program product recited in claim13, wherein the network device is a Software Defined Network (SDN)network device.
 15. The computer program product recited in claim 13,wherein the policy is a security policy.
 16. The computer programproduct recited in claim 13, wherein the policy is a security policythat includes an allow or a block rule based on an application and auser.
 17. The computer program product recited in claim 13, wherein theinstructing of the network device to perform the action for the flow isbased on an API mechanism.
 18. The computer program product recited inclaim 13, wherein instructing of the network device to perform theaction for the flow is based on tagging a packet associated with theflow.